The MAILING DATE of this communication appears on the cover sheet with the correspondence address
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION.

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) [X] Responsive to communication(s) filed on RCE on 11/13/2007.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [X] Claim(s) 55-74 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) [ ] Claim(s) is/are allowed.

6) [X] Claim(s) 55-74 is/are rejected.

7) [ ] Claim(s) is/are objected to.

8) [ ] Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [X] The drawing(s) filed on 10 September 2003 is/are: a) [X] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).

Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

2. [ ] Certified copies of the priority documents have been received in Application No. .

DETAILED ACTION

1. Currently pending claims are 55 - 74.

Continued Examination Under 37 CFR 1.114 

2. A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible 
for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has 
been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 
CFR 1.114. Applicant's submission filed on 11/13/2007 has been entered. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

A person shall be entitled to a patent unless - 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 
of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject 
matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art 
to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was 
made. 

3. Claims 55 - 60, 62, 63, 65 - 68 and 70 - 73 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Cheng et al. (U.S. Patent 6,823,462), in view of Kuhn et al. (U.S. 
Patent 6,023,765). 

As per claim 55, 65 and 70, Cheng teaches a method comprising:
populating an access control list with a destination user group identifier, wherein said
destination user group identifier identifies a destination user group of a destination (Cheng: 
Column 5 Line 31 - 38 and Column 6 Line 63 - 65: the group / category rules-based database 
is qualified as an access control list with a destination group name / ID that requires a common 
security policy with the source nodes to allow the data flows between the nodes), 

said access control list comprises a source user group field configured to store a source 
user group identifier and a destination user group field configured to store a destination user 
group identifier, said source user group comprises a plurality of source network devices, said 
destination user group comprises a plurality of destination network devices (Cheng: Column 5 
Line 36 - 38 and Column 6 Line 2 - 6 & Figure 5: the local ID is considered as the source group 
ID and the remote ID is interpreted as the destination group ID), said source user group is 
assigned to said source based on a role of said source (see Kuhn below), and

said access control list is configured to allow said source user group identifier 
and said destination user group identifier to be compared (Cheng: Column 6 Line 63 - 65: only 
those source / destination group identifiers that match the same traffic profile policies are 
allowed to flow between the nodes). 

Kuhn teaches said source user group is assigned to said source based on a role of said 
source (Kuhn: Column 2 Line 27 - 34, Column 1 Line 54 - 60, Column 3 Line 42 - 48 and 
Column 4 Line 41 - 45: In role-based access control (RBAC) systems, access to an object
within a computer system is provided to the members of groups termed "roles"; all subjects 
belonging to a given role have the same privileges to access various objects within the system 
and, with RBAC, security is managed at a level that corresponds closely to the organization's 
structure according to each user's role. This is also consistent with the disclosure of the instant 
specification "the user's user group is identified and assigned to the user as a source group tag
(SGT), which corresponds to the user's role (e.g., engineering, management, marketing, sales
or the like)" (SPEC: Page 21 / Para [0079]).

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to combine the teaching of Kuhn within the system of Cheng because (a) 
Cheng teaches a means to identify a source user group by using a look-up table to match a 
source address with a source group identifier at a proxy-server network device (Cheng: Column 
5 Line 31 - 38 and Column 6 Line 63 - 65) and (b) Kuhn teaches proposing a more efficient 
method of role-based access control (RBAC) systems where access to an object within a 
computer system is provided to the members of groups termed "roles" that can offer the 
advantages to greatly simplify the process required in response to a change of job status of 
individuals within an organization that can be then realized without loss of the security needs 
(Kuhn: Column 2 Line 27 - 34, Column 1 Line 54 - 60, Column 3 Line 42 - 48 and Column 4 
Line 41 - 45).

As per claim 56, Cheng as modified teaches said destination user group is assigned to 
said destination based on a role of said destination (Cheng: Column 7 Line 26 - 30: with respect 
to "security" role) & (Kuhn: Column 2 Line 27 - 34, Column 1 Line 54 - 60, Column 3 Line 42 - 
48 and Column 4 Line 41 - 45). 

As per claim 57, Cheng as modified teaches said populating is performed by a network 
device and comprises sending a request to another network device, and receiving a response 
from said another network device, wherein said response includes said destination user group 
identifier, and said destination user group identifier identifies said destination user group 
(Cheng: Column 7 Line 35 - 40 and Column 8 Line 5 - 6).

As per claim 58, 66 and 71, Cheng as modified teaches comparing a user group of a
packet with said destination user group (Cheng: Column 6 Line 63 - 65: only those source / 
destination group identifiers that match the same traffic profile policies are allowed to flow 
between the nodes). 

As per claim 59, 67 and 72, Cheng as modified teaches said user group of said packet is 
a source user group, said destination user group is a user group of a destination of said packet, 
and said destination is said destination of said packet (Cheng: Column 5 Line 36 - 38 and 
Column 6 Line 2 - 6 & Figure 5: the local ID is considered as the source group ID and the 
remote ID is interpreted as the destination group ID that associates with a packet). 

As per claim 60, Cheng as modified teaches said source user group is assigned to a 
source of said packet based on a role of said source, and said destination user group is 
assigned to said destination based on a role of said destination (Cheng: Column 7 Line 26 - 30: 
with respect to "security" role) & (Kuhn: Column 2 Line 27 - 34, Column 1 Line 54 - 60, Column 
3 Line 42 - 48 and Column 4 Line 41 - 45). 

As per claim 62, 68 and 73, Cheng as modified teaches determining said source user 
group; and determining said destination user group by looking up said destination user group in 
an access control list (Cheng: Column 5 Line 31 - 38 and Column 6 Line 63 - 65: the look-up 
table is considered as the group / category rules-based database, which is qualified as an 
access control list with a destination group name / ID that requires a common security policy 
with the source nodes to allow the data flows between the nodes).

As per claim 63, Cheng as modified teaches said access control list is a role-based
access control list (Cheng: Column 7 Line 26 - 30: i.e., "security" role based) & (Kuhn: Column 
2 Line 27 - 34, Column 1 Line 54 - 60, Column 3 Line 42 - 48 and Column 4 Line 41 - 45). 

4. Claims 61, 64, 69 and 74 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Cheng et al. (U.S. Patent 6,823,462), in view of Kuhn et al. (U.S. Patent 6,023,765), and in 
view of Li (U.S. Patent 6,711,172). 

As per claim 61, Cheng as modified teaches said destination user group is indicated by 
a destination user group and said source user group is indicated by a source user group 
identifier (Cheng: Column 5 Line 31 - 38 and Column 6 Line 63 - 65). However, Cheng does 
not teach a source user group identifier stored in said packet. 

Li teaches a source user group identifier stored in said packet (Li: Column 4 Line 8 - 13:
a pair of group / source address on the packet is used to route the packet). 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to combine the teaching of Li within the system of Cheng as modified 
because (a) Cheng teaches a means to identify a source user group by using a look-up table to 
match a source address with a source group identifier at a proxy-server network device (Cheng: 
Column 5 Line 31 - 38 and Column 6 Line 63 - 65) and (b) Li teaches proposing a more 
efficient method routing the packet from a source to group members by encoding a pair of group 
/ source address directly on the packet (Li: Column 3 Line 34 - 42 / Line 20 - 23 / Line 1 - 4 
and Column 4 Line 8 - 13).

As per claim 64, 69 and 74, Cheng as modified teaches said source user group identifier
identifies said source user group (Cheng: Column 5 Line 31 - 38 and Column 6 Line 63 - 65). 
However, Cheng does not teach extracting a source user group identifier from said packet. 

Li teaches extracting a source user group identifier from said packet (Li: Column 4 Line 8 
- 13: a pair of group / source address on the packet is used to route the packet and thereby, a 
source user group identifier can thus be extracted from the packet accordingly). See same 
rationale of combination applied herein as above in rejecting the claim 61. 



Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Longbit Chai whose telephone number is 571-272-3788. The examiner 
can normally be reached on Monday-Friday 9:00am-5:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




Longbit Chai, Ph.D
Patent Examiner 
Art Unit 2131 
1/24/2008 



